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BACKGROUND OF THE INVENTION 

The present invention relates to an 
information processing method, and in particular, to a 
technique employed for a tamper resistant device such 
5 as an IC card having high confidentiality. 

Description of the Related Art 

In CRT (Chinese Remainder Theorem) 
calculation which is used as fast algorithm for RSA 
cryptosystem, a remainder x mod P is calculated in the 

10 first step of the calculation. Fig. 1 is a flow chart 
showing a processing flow of a CRT calculation method. 
First, a modular exponentiation operation is done to a 
value reduced in modulo P (1010) while another modular 
exponentiation operation is done to a value reduced in 

15 modulo Q (1020) . Finally, the results of two modular 
exponentiation operations are combined to obtain the 
end result (1030) . In the first step of each modular 
exponentiation operation (1010, 1020) with regard to 
the value reduced in modulo P or Q, the remainder of x 

20 modulo P or Q (P, Q: secret exponents) has to be 

obtained. The modular exponentiation operation can be 
carried out by repeating modular multiplication. 

For the exponentiation calculation in the 
steps 1010 and 1020, the so-called "addition chain" 
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method is generally used. In an addition chain for 
calculating Z = A^L for example, the exponent L is 
expressed in a binary form as: 

L = L[n-1]*2* (n-1) + L [n-2 ] *2 A (n-2 ) + ... 
5 + L[l]*2*l + L[0]*2^0 ...(1) 

where the operator ,f/v " means power and "*" means 
multiplication . 

Using the low of exponent in which the addition in the 
exponent means multiplication and the multiplication in 

10 the exponent means power, the calculation Z = A^L is 
expressed as: 

Z := (••• ( ( (A A L[n-l] ) A 2 * (A A L [ n— 2 ] ) ) A 2 * - * 

(A-L[0] ) ... (2) 

The value A^L[i] equals A when L[i] = 1 and 1 when L[i] 

15 = 0, therefore, omitting the multiplications by 1 (when 
L[i] =0), Z = A A L can be calculated by performing 
several multiplications for the bits 1 in the binary 
expression of L and performing squaring calculation m-1 
times . 

20 The above calculation can be represented by the 
following program: 
Z=l 

for (i = n-1; i >= 0; i++) { 
W := W*W; 

25 if (L[i]==l) then Z := Z*A; else W := W*l; 

} 

Methods for the modular multiplication can be 
classified into two groups: those employing Montgomery 
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modular multiplication and others. 

Fig. 2 is a flow chart showing a processing 
flow of the modular exponentiation operation by the 
addition chain when the Montgomery modular 
5 multiplication is employed. In Fig. 2, "n" denotes the 
number of bits enough for storing P. First, the 
remainder of x modulo P (the remainder of x divided by 
P) is obtained (2020) . Since each multiplication in 
the Montgomery modular multiplication involves 

10 multiplication by 2^ (-n) mod P, the operand is 

previously multiplied by 2^n (hereafter, R = 2^n) . The 
operation multiplying the operand by R is also carried 
out by the Montgomery modular multiplication. The 
value A = x mod P is multiplied by previously 

15 calculated R^2 by means of the Montgomery modular 

multiplication, by which xR mod P is obtained (2040) . 
Since the Montgomery modular multiplication is 
employed, the initial value of the operation is set not 
to 1 but to R (1 multiplied by R) (2050) . In the 

20 multiplication process, each bit of the exponent will 
be extracted one by one starting from the most 
significant bit, therefore, a value n-1 indicating the 
position of the most significant bit is first set to a 
counter i (2050) . Subsequently, whether each bit value 

25 of the exponent is 1 or not is checked starting from 
the highest bit (2060) . If the bit value is 0 (NO in 
the step 2060), the current value W is multiplied by R 
(which means 1) (2070) . Meanwhile, if the bit value is 



1 (YES in the step 2060), the current value W is 
multiplied by A__R = xR mod P (2080) . Incidentally, 
since the step 2070 for multiplying by R (meaning 1) 
has no effect on the calculation result, it can be 
5 omitted when the processing speed is important. 

Subsequently, the bit position counter i is decremented 
by 1 (2090) and whether the bit position has reached 
the least significant bit or not is checked (2100) . If 
the bit position has not reached the least significant 

10 bit (YES in the step 2100), the current value is 

squared (2110) and the process from the step 2060 is 
repeated for the next bit of the exponent. If the 
process has already finished for the least significant 
bit (NO in the step 2100), the current value W is 

15 simply multiplied by the factor 2^ (-n) in order to 

eliminate the effect of the previous multiplication by 
2^n. In the Montgomery modular multiplication, 
obtaining the product of the operand and 1 is 
equivalent to multiplying the operand by 2 A (-n) (2120). 

20 Finally, when the result is P or more (YES in step 

2130), P is subtracted from the result (2140). In the 
above processing flow, the result of the modular 
calculation of the step 2020 changes sharply depending 
on whether x is larger or smaller than a multiple of P 

25 (3010) as shown in Fig. 3, therefore, the step or the 
behavior might be used as an attack point. 

Fig. 4 is a flow chart showing a processing 
flow of the modular exponentiation operation by the 



addition chain when a modular multiplication method 
other than the Montgomery modular multiplication is 
employed. In Fig. 4, the bit length of P is expressed 
as "n". First, the remainder of x modulo P is obtained 
5 (4020) . Similarly to the above example employing the 
Montgomery modular multiplication, there is a 
possibility, that the calculation of the remainder 
modulo P might become an attack point. The initial 
value of the operation is set to 1 since an ordinary 

10 modular multiplication method is used, and a value n-1 
indicating the position of the most significant bit is 
first set to a counter i so that each bit of the 
exponent will be extracted one by one starting from the 
most significant bit (4040) . Subsequently, whether 

15 each bit value of the exponent is 1 or not is checked 

starting from the highest bit (4050) . If the bit value 
is 1 (YES in the step 4050) , the current value W is 
multiplied by A = x mod P (4070) . If the bit value is 
0 (NO in the step 4050), the current value W is 

20 multiplied by 1 (4060) . Incidentally, the step 4060 
for multiplying by 1, having no effect on the 
calculation result, can be omitted when the processing 
speed is important. The step 4070 might also become an 
attack point since the value of A = x mod P is used for 

25 the operand. Subsequently, the bit position is shifted 
rightward by 1 bit by decrementing the bit position 
counter i by 1 (4080) and whether the bit position has 
reached the least significant bit or not is checked 
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(4100) . If the bit position has not reached the least 
significant bit yet (YES in the step 4100), the current 
value W is squared (4090) and the above process is 
conducted for the next bit of the exponent. When the 
5 process is completed for the least significant bit (NO 
in the step 4100), the current value W becomes the 
final result of the operation. 

As described above, in either case using or 
not using the Montgomery modular multiplication, the 
10 remainder of x modulo P has to be obtained at the first 
step of the operation, and thus there is a possibility 
that the modular calculation might become an attack 
point . 

The RSA cryptosystem is a cryptographic 
15 technology generally used for authentication, sending a 
private key (secret key) , etc. as a standard, and the 
reliability and safety of its calculation method have 
great importance for financial uses etc. Although a 
method employing the Chinese Remainder Theorem is 
20 widely used today as fast algorithm for the RSA 

cryptosystem, a modular calculation modulo P (P: secret 
prime) has to be conducted in the first step of the 
algorithm. The modular calculation, using the secret 
prime P explicitly, has been a target of attack from 
25 long ago. What becomes a problem in the modular 
calculation modulo P is that when x is close to a 
multiple of P (3010) as shown in Fig. 3, x mod P takes 
on large values (x mod P = P) if x < kP, while taking 



on small values (x mod P = 0) if x > kP. Due to the 
rapid change of x mod P across the boundary kP, there 
is a danger that whether the input x is larger or 
smaller than the secret exponent P might be detected as 
5 side channel information (electric current, etc.)- The 
RSA cryptosystem is regarded as safe based on the fact 
that the product N of large prime numbers P and Q 
(approximately 512 bits at present) can not be 
factorized easily, and the number N as the product of 

10 the prime numbers P and Q is disclosed to the user as 

part of the public key. However, if the secret prime P 
or Q leaks out, the other secret prime Q = N/P or P = 
N/Q can be calculated easily and consequently, the 
private key d can be obtained by calculating the 

15 inverse element of the public key e modulo (P-l) (Q-l) . 
The inverse calculation can be carried out easily by 
extended Euclid's algorithm. 



SUMMARY OF THE INVENTION 

It is therefore the primary object of the 

20 present invention to provide an information processing 
method or calculation method capable of carrying out 
the modular calculation for the CRT (Chinese Remainder 
Theorem) safely and at high speed. 

In an information processing method in 

25 accordance with an aspect of the present invention, x 
mod P is calculated not directly, but x* (2^n) mod P is 
calculated by previously multiplying x by 2^(m+n) mod P 



or 2 A (2n) mod P and multiplying the result by 2* (-m) or 
2 /s (-n) afterward. The number P, being a large prime 
number, is necessarily an odd number and thus is 
relatively prime with any power of 2. Hence there 
5 necessarily exists 2 A (-m) mod P or 2 A (-n) mod P. 

Further, even when the input x is close to P, the value 
of x*(2 A n) mod P does not change rapidly depending on 
whether x is larger or smaller than P, and x* (2 A n) mod 
P has a bit length close to that of P. By virtue of 

10 the above characteristics, it becomes impossible to 

estimate whether x is larger or smaller than P based on 
the leaked information, by which the leakage of the 
private key can be prevented- In the case where the 
Montgomery modular multiplication is employed, the 2 A n- 

15 multiplied form of the expression exactly follows the 

Montgomery field, therefore, the subsequent process can 
be conducted according to the conventional processing 
flow. 

On the other hand, when the Montgomery 
20 modular multiplication is not employed, a correct 

result can be obtained by compensating for the effect 
of the multiplication by 2 A n mod P, by multiplying the 
result of the exponentiation operation by (2 /N (- 
n) ) " (2 A n-l) mod P. 
25 When a modular multiplication method other 

than the Montgomery modular multiplication is employed, 
multiplication and squaring are carried out and 
thereafter the result is multiplied by R A (-2) mod P. 



- 9 - 

It is also possible to previously calculate R A (-2m) mod 
P and finally correct the result by multiplying by R A (- 
(2 A m)+l) mod P. 

The objects and features of the present 
5 invention will become more apparent from the 

consideration of the following detailed description 
taken in conjunction with the accompanying drawings. 

BRIEF DESCRIPTION OF THE DRAWINGS 

Fig. 1 is a flow chart showing a processing 
10 flow of a typical CRT calculation method for RSA 
crypt osyst em; 

Fig. 2 is a flow chart showing a processing 
flow of a conventional modular exponentiation operation 
for the CRT calculation method when Montgomery modular 
15 multiplication is employed; 

Fig. 3 is a graph showing the relationship 
between the input x and the result of modular 
calculation x mod P (P: secret prime) ; 

Fig. 4 is a flow chart showing a processing 
20 flow of a conventional modular exponentiation operation 
for the CRT calculation method when a general modular 
multiplication method is employed; 

Fig. 5 is a flow chart showing a secure 
modular calculation process employing Montgomery 
25 modular multiplication in accordance with an embodiment 
of the present invention; 

Fig. 6 is a flow chart showing another secure 
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modular calculation process employing Montgomery 
modular multiplication in accordance with another 
embodiment of the present invention; 

Fig. 7 is a flow chart showing a part of the 
5 secure modular calculation process employing Montgomery 
modular multiplication; 

Fig. 8 is a flow chart showing a secure 
modular exponentiation process employing Montgomery 
modular multiplication in accordance with another 
10 embodiment of the present invention; 

Fig. 9 is a flow chart showing a part of the 
secure modular exponentiation process; 

Fig. 10 is a flow chart showing another part 
of the secure modular exponentiation process; 
15 Fig. 11 is a flow chart showing another part 

of the secure modular exponentiation process; 

Fig. 12 is a graph showing the bit length and 
humming weight of x mod P (x: input, P: secret prime) 
according to a conventional calculation method; and 
20 Fig. 13 is a graph showing the bit length and 

humming weight of x*2^n mod P (x: input, P: secret 
prime) according to the present invention. 



DESCRIPTION OF THE EMBODIMENTS 

Referring now to the drawings, a description 
25 will be given in detail of preferred embodiments in 
accordance with the present invention. 

Fig. 5 is a flow chart showing an embodiment 
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of the present invention in which the Montgomery 
modular multiplication is employed. In Fig. 5, the 
number "m" denotes a bit length necessary for storing 
the input x and "n" denotes a bit length necessary for 
5 storing P. The number m is necessarily larger than or 
equal to n (m > n) since 0 < x < P*Q. First, U = 2^m 
mod P and U_SQR = 2^(2n)U mod P are calculated (5030). 
Incidentally, the above symbol "_" is used in this 
document to mean subscript. A detailed processing flow 

10 for calculating U_SQR = 2^(2n)U mod P is shown in Fig. 
7. While Fig. 7 shows a procedure for calculating 
2^L*U mod P, it can be used directly by substituting 2n 
into L (L = 2n) . The bit length of U_SQR equals that 
of the longer one of m - 2n and n. The calculation of 

15 the step 5040 can be expressed as: 

A_R = (x*U_SQR + M*P)/2 A m ...(3) 
As x < 2^m and M < 2^m hold, the following inequality 
holds : 

A_R < U_SQR + P ... (4) 

20 As the bit length of P is n or less, the bit length of 
A_R can be described as MAX (m-2n, n) . Letting the bit 
length of A_R be n or less requires: 

m-2n < n ... (5) 

that is: 

25 m < 3n ... (6) 

In ordinary cases, m = 2n < 3n holds and thus the bit 
length of A_R equals n. In order to carry out step 
5050, the result of the step 5040 is required to be n 



or less. When the condition m < 3n is not satisfied, 
another method of Fig. 6 in accordance with another 
embodiment of the present invention is carried out. 
The process of the step 5050 can be represented by a 
5 differently expression as: 

(A_R + (-A_R*P A (-1) mod 2 A n)*P)/2 A n ---(7) 
Since A_R < 2 A n and (-A_R*p /s (-1 ) mod 2^n) < 2 A n hold, 
the following inequality is satisfied: 

(A_R + (-A_R*P A (-1) mod 2 A n) *P) /2 /N n < 1 + P .-.(8) 
10 Therefore, A_R after the step 5050 does not exceed P 

and thus can be expressed by n bits. Incidentally, A_R 
becomes equal to P in the step 5050 only when x is a 
multiple of P. The process of the steps 5030 through 
5050 can be expressed as follows: 
15 A_R s x*2" (2n) *2 A m*2 A (-m) *2 A (-n) mod P ... (9) 

s x*2 A (2n+m-m-n) mod P ...(10) 
= x*2 A n mod P ... (11) 

The subsequent process after the step 5050 can be 
conducted according to the aforementioned process 
20 starting from the step 2050 of Fig. 2. In the case 
where x is a multiple of P, the result is finally 
corrected in the steps 2130 and 2140 of Fig. 2. 

Fig. 6 is a flow chart showing another 
embodiment of the present invention in which the 
25 Montgomery modular multiplication is employed. In Fig. 
6, "m" denotes the bit length necessary for storing the 
input x and "n" denotes the bit length necessary for 
storing P. The number m is necessarily larger than or 



equal to n (m > n) since 0 < x < P*Q. First, U ? _SQR = 
2 A (n+m)U mod P is calculated according to the flow of 
Fig. 7 by letting L = n + m (6030). In order to 
conduct the process from step 6040, the number of bits 
5 of U f _SQR is required to be m or less, and the 

condition is always satisfied. The process of the step 
6050 can be expressed as: 

(A_R + (-A_R*P A (-1) mod 2"m) *P) /2"m) ...(12) 
Since A_R < 2^n and (-A_R*P A (-1) mod 2"m) < 2^m hold, 
10 the following inequality is satisfied: 

(A_R + (~A_R*P A (-1) mod 2 A m) *P) /2*m) < 1+P ...(13) 
Therefore, A_R after the step 6050 becomes P or less 
and can be expressed by n bits or less. Incidentally, 
A_R becomes equal to P in the step 6050 only when x is 
15 a multiple of P. The process of the steps 6030 through 
6050 can be represented by one expression as: 

A_R = x*2 A (n+m) *2 /v m*2 /s (-m) *2 A (-m) mod P ... (14) 

= x^2 A (n+m+m-m-m) mod P ... (15) 

= x*2"n mod P ... (16) 

20 The subsequent process after the step 6050 can be 
conducted according to the aforementioned process 
starting from the step 2050 of Fig. 2. In the case 
where x is a multiple of P, the result is finally 
corrected in the steps 2130 and 2140 of Fig. 2. 
25 Differently from the previous embodiment of Fig. 5, the 
condition m < 3n is not required in this embodiment. 

Fig. 7 is a flow chart showing a procedure 
for calculating 2 A L*U mod P which is necessary for the 



embodiments of Figs. 5 and 6. The flow of Fig. 7 
calculates W := 2"L*R mod P by means of the addition 
chain starting from the least significant bit. The 
initial value of W is set to w = 2*(2 A m) mod P so as to 
5 be accommodated in m bits. The calculation can be done 
only by conducting modular squaring operation L times 
if the binary expression of L except the most 
significant bit includes no 1, whereas extra 
multiplication becomes necessary on the way if there is 

10 a bit 1 in the binary expression of L except the most 
significant bit. Therefore, a variable "mul", 
indicating whether a bit 1 has been found in the bits 
of L other than the most significant bit or not, is 
prepared (7005) . Step 7010 lets W be accommodated in m 

15 bits, by subtracting a number obtained by shifting P 
until the most significant bit of P comes to the most 
significant bit of m bits. Steps 7020, 7030, 7040 and 
7050 sets the most significant two bits of W to "00", 
which are conducted in order to let the final 

20 calculation result be accommodated in n bits. 

Subsequently, whether the process has reached the most 
significant bit or not is checked (7060) . If the 
process has reached the most significant bit (YES in 
the step 7060), whether the variable mul is 1 or not is 

25 checked (7080) . If the variable mul is 1 (YES in the 
step 7080) , calculation result corresponding to 
intermediate bits of L has already been stored in a 
variable Y, therefore, W is multiplied by Y (7090) to 



give the final result. If the process has not reached 
the most significant bit yet (NO in the step 7060), 
whether the least significant bit of L is 1 or not is 
checked (7070) . If the least significant bit of L is 1 
5 (YES in the step 7070) , the value of W is stored in the 
variable Y. Whether the variable mul is 1 or not is 
checked in step 7100, and if a bit 1 is found for the 
first time in the bits of L other than the most 
significant bit (NO in the step 7100) , the value of W 

10 is substituted into Y (7120) and the variable mul is 
set to 1 (7130) . The process in the step 7120 is 
equivalent to first substituting 1 into Y and 
thereafter executing Y := Y*W. Meanwhile, if a bit 1 
has already been found in the bits of L other than the 

15 most significant bit (YES in the step 7100), Y is 
multiplied by the current value of W (7110) . 
Subsequently, modular squaring is carried out to R by 
Montgomery modular multiplication (7140) and L is 
shifted rightward by 1 bit (7150) . Thereafter, the 

20 process from the step 7060 is repeated. 

The calculation of Y*Y*2 A (-m) mod P of the step 7140 is 
equivalent to: 

(A*A + M*P) / (2 A m) ... (17) 

where : 

25 M = -Y*Y* (P A (-1) ) mod 2 A m < 2 A m ... (18) 

Therefore, the following inequality holds: 

( Y*Y + M*P)/(2 A m) < ( Y*Y + 2 A m*P) / (2 A m) ...(19) 
Meanwhile, if we define "s" as the number of most 
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significant bits 0 when Y is stored in m-bit memory, 



the following inequalities hold: 



Y < 2 A 



(m-s) 



- (20) 



Y < 



(m-s) 



- 1 



. (21) 



5 (Y*Y+2 A m*P) / (2 A m) <= ( (2 A (m-s) -1) A 2+2 A m*P) /2 A m 



. (22) 



= 2 A (m-2s) -2 A (1-s) +2 A (-m) + P 



. (23) 



< 2 A (m-2s) + P+1 



. (24) 



Hence the number s of the most significant bits 0 of 
the calculation result (Y*Y+M*P) /2 A m in the step 7140 

10 changes as s[t+l]: = 2s[t]-l each time (Y*Y+M*P) /2 A m is 
calculated. Thus, when 2 A (m-2s) is larger than P, the 
number of the consecutive most significant bits 0 
becomes s[0]*2 A (t-l) after t time calculations- On the 
other hand, when 2 A (m-2s) has become smaller than P, 

15 the bit length is determined by P. Since the most 

significant two bits of W are set to "00" in. the steps 
7020, 7030, 7040 and 7050 (s[0] = 2), the bit length 
after executing the step 7140 t times becomes m-2 A t or 
n. The bit length equals max(m-L, n) since t = 

20 log2 (L) . 



of the present invention in which an ordinary modular 
multiplication method is employed- In Fig. 8, "m" 
denotes a bit length necessary for storing the input x 
25 and "n" denotes a bit length necessary for storing P. 

First, 2 A n mod P is calculated according to the flow of 
Fig. 9 and the result is substituted into R (8020) . 
Subsequently, the input x is multiplied by R (8030) and 



Fig. 8 is a flow chart showing an embodiment 



a value R_I TOTAL to be used for final correction is 
calculated (8040) . When P is a definite and fixed 
value, R_ITOTAL can be calculated independently of the 
input x and thus it is possible to previously calculate 
5 and prestore R_I TOTAL . In actual calculation, R_INV = 
2 A (-n) mod P is first calculated according to the flow 
of Fig. 10, and R_I TOTAL = (R_INV) ^ (2 /v n-l ) mod P is 
calculated based on R and R_INV according to the flow 
of Fig. 11. Subsequently, the initial value W of the 

10 operation is set to 1 since an ordinary modular 
multiplication method is used, and a value n-1 
indicating the position of the most significant bit is 
first set to a counter i (8050). Subsequently, whether 
each bit value is 1 or not is checked starting from the 

15 highest bit of the exponent (8060) . If the bit value 
is 1 (YES in the step 8060) , the current value W is 
multiplied by A_R - xR mod P (8080) . If the bit value 
is 0 (NO in the step 8060), the current value W is 
multiplied by R (meaning 1) (8070) . Subsequently, the 

20 bit position is shifted rightward by 1 bit by 

decrementing the bit position counter i by 1 (8090) and 
whether the process has been completed for the least 
significant bit or not is checked (8100) . If the 
process has not reached the least significant bit yet 

25 (YES in the step 8100) , the current value W is squared 
(8110) and the above process is conducted for the next 
bit of the exponent. Since the process of the steps 
8070 and 8080 includes the extra multiplication by R 
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every time in comparison with the conventional process, 
the result has been multiplied by extra R A (2 A n-l) at 
the point when the process is completed for the least 
significant bit. Hence the result is finally 
5 multiplied by R_ITOTAL (8120) in order to eliminate the 
effect of the extra multiplication by R A (2 A n-l). 

Fig. 9 is a flow chart showing a procedure 
for calculating 2 A L mod P in the step 8020 of the 
embodiment of Fig. 8. The flow of Fig. 9 calculates 

10 R : — 2 A L mod P by means of the addition chain starting 
from the least significant bit. The calculation can be 
done only by conducting modular squaring operation L 
times if the binary expression of L except the most 
significant bit includes no 1, whereas extra 

15 multiplication becomes necessary on the way if there is 
a bit 1 in the binary expression of L except the most 
significant bit. A variable "mul", indicating whether 
a bit 1 has been found in the bits of L other than the 
most significant bit or not, is prepared and 

20 initialized to 0 (9005), and the value R is initialized 
to 2 (9010). Subsequently, whether the process has 
reached the most significant bit or not is checked 
(9060). If the process has already reached the most 
significant bit (YES in the step 9060) , whether the 

25 variable mul is 1 or not is checked (9080) . If mul = 1 
(YES in the step 9080) , calculation result 
corresponding to intermediate bits of L has already 
been stored in a variable Y, therefore, R is multiplied 



by Y (9090) to give the final result. If the process 
has not reached the most significant bit yet (NO in the 
step 9060) , whether the least significant bit of L is 1 
or not is checked (9070). If the least significant bit 
5 of L is 1 (YES in the step 9070), the storing in the 

variable Y is conducted. Whether the variable mul is 1 
or not is checked in step 9100, and if a bit 1 is found 
for the first time in the bits of L other than the most 
significant bit (NO in the step 9100) , the value of R 

10 is substituted into Y (9120) and the variable mul is 
set to 1 (9130). The process in the step 9120 is 
equivalent to first substituting 1 into Y and 
thereafter executing Y := Y*R. Meanwhile, if a bit 1 
has already been found in the bits of L other than the 

15 most significant bit (YES in the step 9100) , Y is 
multiplied by the current value of R (9110). 
Subsequently, modular squaring is carried out to R 
(9140) and L is shifted rightward by 1 bit (9150). 
Thereafter, the process from the step 9060 is repeated. 

20 Fig. 10 is a flow chart showing a procedure 

for calculating R_INV := 2 /N (-n) mod P in the step 8040 
of the embodiment of Fig. 8. The flow of Fig. 10 
calculates R_INV := 2^ (-L) mod P by means of the 
addition chain starting from the least significant bit. 

25 The calculation can be done only by conducting modular 
squaring operation L times if the binary expression of 
L except the most significant bit includes no 1, 
whereas extra multiplication becomes necessary on the 



- 20 - 

way if there is a bit 1 in the binary expression of L 
except the most significant bit. A variable "mul", 
indicating whether a bit 1 has been found in the bits 
of L other than the most significant bit or not, is 
5 prepared and initialized to 0 (10005) , and the value 

R_INV is initialized to 1/2. The initialization to 1/2 
can be done by shifting 1 rightward once. Since mere 
right shift of 1 gives 0, the right shift is conducted 
after adding P. The value P, being a large prime 

10 number, is necessarily an odd number, hence 1+P is 
necessarily an even number and can be shifted 
rightward. Subsequently, whether the process has 
reached the most significant bit or not is checked 
(10060) . If the process has already reached the most 

15 significant bit (YES in the step 10060), whether the 

variable mul is 1 or not is checked (10080) . If mul - 
1 (YES in the step 10080), calculation result 
corresponding to intermediate bits of L has already 
been stored in a variable Y, therefore, R_INV is 

20 multiplied by Y (10090) to give the final result. If 
the process has not reached the most significant bit 
yet (NO in the step 10060) , whether the least 
significant bit of L is 1 or not is checked (10070). 
If the least significant bit of L is 1 (YES in the step 

25 10070), the storing in the variable Y is conducted. 

Whether the variable mul is 1 or not is checked in step 
10100, and if a bit 1 is found for the first time in 
the bits of L other than the most significant bit (NO 



in the step 10100), the value of R_INV is substituted 
into Y (10120) and the variable mul is set to 1 
(10130) . The process in the step 10120 is equivalent 
to first substituting 1 into Y and thereafter executing 
5 Y := Y*R. Meanwhile, if a bit 1 has already been found 
in the bits of L other than the most significant bit 
(YES in the step 10100), Y is multiplied by the current 
value of R (10110). Subsequently, modular 
multiplication of R and Y is conducted (10140) and L is 

10 shifted rightward by 1 bit (10150) . Thereafter, the 
process from the step 10060 is repeated. 

Fig. 11 is a flow chart showing a procedure 
for calculating R_I TOTAL := (R_INV) A (2 A n-l) mod P in 
the step 8040 of the embodiment of Fig. 8. The 

15 calculation is carried out by multiplying R_INV A (2^n) 
by R as shown in the following equation (26) . The 
multiplicand R_INV A (2 A n) is calculated by repeating 
modular squaring operation n times. 

(R_INV) A (2 A n-l) mod P = R_INV A (2 A n) *R_INV A (-1) mod P 

20 .... (25) 

= R_INV A (2 A n) *R mod P ... (26) 
First, R_IT0TAL is initialized to R_INV (11010) and a 
number "n", indicating the number of times of modular 
squaring operation to be repeated, is substituted into 

25 a variable i as a counter (11020) . In each modular 

squaring operation, the result of modular squaring of 
R_I TOTAL is substituted into R_ITOTAL (11030) and the 
counter variable i is decremented by 1 (11040) . 



Subsequently, the counter variable i is checked 
(11050), and if the counter variable i is larger than 0 
(YES in the step 11050), the process from the step 
11030 is repeated. When the counter variable i reached 
5 0 (NO in the step 11050), the current value R__I TOTAL is 
finally multiplied by R by means of modular 
multiplication and the obtained value is substituted 
into R_I TOTAL (11060) to be returned as the final 
result . 

10 As set forth hereinabove, by the present 

invention, the CRT calculation employing the modular 
exponentiation operation can be carried out without the 
need of directly obtaining the remainder (x mod P) of 
the input value x divided by the secret prime P. 

15 Therefore, it becomes difficult to estimate the secret 
prime P by conventional attacking methods such as 
measuring electric current etc. while changing the 
input x. Fig. 12 shows the bit length and humming 
weight (the number of bits 1 in binary expression) of x 

20 mod P in the case where a conventional calculation 

method is employed, while Fig. 13 shows the bit length 
and humming weight of x*2"n mod P (which corresponds to 
x mod P) in the present invention. An apparent 
dependency relationship is seen in Fig. 12 between 

25 input data and x mod P, whereas the bit length and 
humming weight are almost constant independently of 
input data and such dependency can not be seen in Fig. 
13. 
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Other aspects of the present invention are as 

follows : 

1. A processing method for conducting a 
5 calculation modulo N, wherein: 

an operand of the calculation is previously 
multiplied by a value V obtained as a power of a number 
relatively prime with the modulus N, and 

the result of the above calculation is 
10 multiplied by an inverse element of the value V modulo 
N. 

2. A processing method for conducting a modular 
calculation modulo N, wherein: 

an operand of the modular calculation is 
15 previously multiplied by a value V obtained as a power 
of a number relatively prime with the modulus N, and 

the result of the calculation is multiplied 
by an inverse element of the value V modulo N, and 
the modulus N equals the product of prime 
20 numbers that are larger than 2, and 

the number relatively prime with the modulus 
N equals 2. 

3. An information processing device comprising a 
Montgomery modular multiplication device, for 

25 calculating x*(2"n) mod P for an input value x larger 
than a prime number P, wherein: 

the value x*(2^n) mod P is calculated without 
explicitly obtaining x mod P, by: 
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calculating or previously preparing 2 A (2m+n) 
mod P when the input value x has to be transformed into 
(2 A n) mod P, the number n denoting the number of bits 
necessary and sufficient for storing the modulus P and 
5 the number m denoting the number of bits necessary for 
storing the input value x; 

calculating xl = x*2 A (2m+n) * (2 A (-m) ) mod P = 
x*2 A (m+n) mod P by the Montgomery modular 
multiplication device; and 
10 calculating x2 := xl* (2 A (-m) ) mod P = x* (2 /v n) 

mod P . 

4 . An information processing method for 
calculating x* (2^n) mod P for an input value x larger 
than a prime number P, wherein: 

15 the value x* (2 A n) mod P is calculated without 

explicitly obtaining x mod P, by: 

calculating or previously preparing 2 A (2m+n) 

mod P when the input value x has to be transformed into 

x*(2 A n) mod P, the number n denoting the number of bits 
20 necessary and sufficient for storing the modulus P and 

the number m denoting the number of bits necessary for 

storing the input value x; 

calculating xl = x*2 A (2m+n) * (2 A (-m) ) mod P = 

x*2 A (m+n) mod P by Montgomery modular multiplication; 
25 and 

calculating x2 := xl*(2 /x (-m)) mod P = x* (2 A n) 

mod P. 

5. An information processing device comprising a 
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Montgomery modular multiplication device, for 
calculating x* (2 A n) mod P for an input value x larger 
than a prime number P, wherein: 

the value x* (2 A n) mod P is calculated without 
5 explicitly obtaining x mod P, by: 

calculating or previously preparing 2^ (m+2n) 
mod P when the input value x has to be transformed into 
x*(2 A n) mod P, the number n denoting the number of bits 
necessary and sufficient for storing the modulus P and 
10 the number m denoting the number of bits necessary for 
storing the input value x; 

calculating xl = x*2^ (m+2n) * (2 A (-m) ) mod P = 
x*2^(2n) mod P by the Montgomery modular multiplication 
device; and 

15 calculating x2 := xl*(2 A (-n)) rnod P = xM2 A n) 

mod P . 

6. An information processing method for 
calculating x* (2"n) mod P for an input value x larger 
than a prime number P, wherein: 
20 the value x* (2 /N n) mod P is calculated without 

explicitly obtaining x mod P, by: 

calculating or previously preparing 2 A (m+2n) 
mod P when the input value x has to be transformed into 
x* (2 A n) mod P, the number n denoting the number of bits 
25 necessary and sufficient for storing the modulus P and 
the number m denoting the number of bits necessary for 
storing the input value x; 

calculating xl = x*2 A (m+2n) * (2 A (-m) ) mod P = 



x*2 /v (2n) mod P by Montgomery modular multiplication; 
and 

calculating x2 := xl*(2 A (-n)) mod P = x*(2 A n) 

mod P. 

5 7 . An information processing device for 

conducting a modular exponentiation operation x A d mod P 
for an input value x and an exponent d, by combining 
results of exponentiation operations each of which is 
carried out for each s-bit segment successively 

10 extracted from the exponent d, wherein: 

the value x A d mod P is calculated not by 
calculating x A d[i] mod p, the exponent d[i] denoting i- 
th segment of the extracted s-bit segment of the 
exponent d, but by: 

15 calculating (2 A n) A (2 A n-l) *x A d mod P by use of 

(2 A n) A (2 A s-l)*x A d[i] mod P, the number n denoting the 
number of bits necessary and sufficient for storing the 
modulus P and the number m denoting the number of bits 
necessary for storing the input value x; and 

20 calculating the value x"d mod P by 

multiplying the above result (2 A n) A (2 A n-l) *x A d mod P by 
2" (-n) A (2 A n-l) mod P. 

8. An information processing method for 
conducting a modular exponentiation operation x A d mod P 

25 for an input value x and an exponent d, by combining 
results of exponentiation operations each of which is 
carried out for each s-bit segment successively 
extracted from the exponent d, wherein: 



the value x^d mod P is calculated not by 
calculating x A d[i] mod P, the exponent d[i] denoting i- 
th segment of the extracted s-bit segment of the 
exponent d, but by: 

calculating (2^n) A (2^n-l ) *x /N d mod P by use of 
(2"n) A (2"s-l) *x"d [i] mod P, the number n denoting the 
number of bits necessary and sufficient for storing the 
modulus P and the number m denoting the number of bits 
necessary for storing the input value x; and 

calculating the value x^d mod P by 
multiplying the above result (2 A n) A (2 A n~l) *x A d mod P by 
2^ (-n) A (2 /s n-l) mod P. 

While the present invention has been 
described with reference to the particular illustrative 
embodiments, it is not to be restricted by those 
embodiments but only by the appended claims. It is to 
be appreciated that those skilled in the art can change 
or modify the embodiments without departing from the 
scope and spirit of the present invention. 



